Ransomware Risk

Ransomware has become a significant risk for companies of all shapes and sizes. It takes many forms, from attackers encrypting your data and only letting you decrypt it for a fee, stealing your data and threatening to widely publish it unless you pay, through to threatening to disable your IT systems unless you meet their demands. The attackers are well-resourced and sophisticated organized criminal groups or rogue nation states. You need to not just think you are protected from this threat – but to know you are protected – use this guidance as a start.


Issue Organized criminal groups and rogue nation states are increasingly using cyberattacks to extort money from people and corporations. This is a lucrative business for them with typical extortion payments running into millions of dollars. The most common pattern here is to infect a company with a virus or other malware (known as ransomware) that encrypts your data so you can’t use your data or systems, or they could hack through an exposure in your network perimeter and then plant the ransomware directly. When you have been compromised, they will ransom your data by demanding you pay to have the data decrypted and to additionally avoid the attackers widely publicizing sensitive data they may have stolen.

Guidance Defending against these attacks has much in common with defending against other forms of cyber-attacks. It requires a set of basic IT controls be implemented along with comprehensive and well tested backups of your data and systems. You should have a comprehensive program beyond this, but at least do the following:

1. Patch and Secure. Keep all your systems patched and up to date – especially security patches. Implement and continuously monitor system security configurations, especially for critical systems like core systems, Active Directory, cloud services and perimeter networks. Use CIS benchmarks: https://www.cisecurity.org/cis-benchmarks/

2. Lock Down Privilege. Heavily restrict who has administrative privilege to download and install software in your environment – only a small number of trained system administrators should be able to do this. Block or constrain the use of portable media control like USB storage and encrypt what you do use.

3. Filter Content. Filter e-mail and Internet access such that spam, malware, phishing and malicious web sites are blocked.

4. Actively Defend. Run end point (on mobile devices, desktops and servers) security software to block and report viruses, ransomware and other malware and attacks. Implement software whitelisting so only known good software can run. Bring back activity logs to a central secure storage location.

5. Harden the Perimeter. Harden your Internet perimeter – make sure your web sites and Internet access are regularly scanned for vulnerabilities and those issues fixed. Make sure there’s no open ports are that easily accessible by attackers. Make sure firewall or other security gateways are reviewed regularly for the right rule sets.]

6. Strongly Authenticate Access. Implement strong authentication (hardware tokens, or authentication apps on smart phones) for any remote access to your environment or services you use in the cloud (e.g. Office 365).

7. Isolate Critical Data/Systems. Isolate and encrypt your most critical IT assets and data, such as customer records, payment information, core intellectual property, authentication systems (e.g. Active Directory) in a segmented part of your environment. Encrypt content on your mobile devices and enforce mobile device security.

8. Back Things Up. Back-up your data and systems and regularly test that works by recovering it to actual clean systems – not just inspecting the back-ups. Encrypt your back-ups. Make sure the back-ups are kept off-line or are otherwise immutable.

9. Manage Access. Manage identity and access to your on premise, cloud or vendor systems. When someone leaves have the ability to terminate all their access quickly. Check this is working constantly.

10. Check Your Vendors. Finally, for any vendors that could cause you or your customers problems if they have an issue with your data or services, then make sure they are doing these things as well.


Broader Considerations If you haven’t done a security penetration test recently then conduct one, and consider making the vulnerability assessment a regular process, and have the testing vendor focus on your ability to resist ransomware events. Also, whether or not you think you are in good shape you should develop an incident response playbook for ransomware events and conduct a leadership drill to test your ability to respond, and business continuity strategy in case of an attack (including but not limited to, Disaster Recovery Failover).

The playbook should include immediate escalation to the board, law enforcement, and information security vendors. Depending on the information that is compromised, you may also need to report to regulatory or other government bodies. You should consider whether any information compromised is considered Personal Data as that will create additional reporting obligations.

You should verify your cybersecurity and/or business disruption insurance policies to ensure ransomware coverage is in place.


Guidance Note
This guidance is provided for the benefit of County Tipperary Chamber of Commerce membership companies and is not intended to be shared further. You should always consult your legal, compliance, risk or security teams or designated legal counsel before making critical decisions for your business. 

Should you require additional guidance or support  from IDPAA on any Data Protection related matters or concerns please contact Paula Carney-Hoffler on 052 614 6220/0872681891 or via email paula@idpaa.ie 

Confidentiality                                                                                                                                                         
No part of this material may, without IDPAA Limited prior written consent, be (i) copied, photocopied or duplicated in any form, by any means, or (ii) distributed to any person that is not an employee, officer, director, or authorised agent of the recipient.© 2020 IDPAA Limited All rights reserved.